Alleged Large Scale GDPR Breach at Microsoft Office Under Investigation

Microsoft Office is being investigated by Dutch investigators because of claims there has been a violation of the EU’s General Data Protection Regulations (GDPR) concerning the gathering of data by the software, which includes the content of personal email messages.

The reviewers of the supposed breach in the Netherlands stated that their investigation of Microsoft Office resulted to the discovery of large scale gathering of personal information. It is believed that users did not know about the data collection and therefore did not give their authorization.

According to a Microsoft spokesman, Microsoft is committed to customers’ personal privacy. Users have control over their data and Office ProPlus, as well as other Microsoft products and services, abide by the GDPR and other pertinent regulations. The company values the chance to talk with the Dutch Ministry of Justice about its diagnostic data handling procedures for Office ProPlus and expects to successfully resolve any concerns.

Microsoft explains that the data collection was made only for functional and security purposes; however, the investigators said they discovered Microsoft collected information such as email subject lines and tidbits of email content. Early this year, Microsoft relocated its data collection to Europe to comply with the GDPR. In the past, they have exported information from the EU to US data centers.

Privacy Company is the third-party consultancy that executed the audit, which reported that Microsoft operated large scale and secret processing of client data. As mentioned in the report from the Ministry of Justice, Windows 10 Enterprise and Microsoft Office are gathering information supplied by and about users and are storing them in a US database in a manner that threatened users’ privacy.

In response, Microsoft agreed to carry out an enhancement plan for its services, which will be submitted for verification in April 2019. The company was given some space to deal with the issues in data processing, however, if they are not sufficiently addressed massive fines could be issued. Under the GDPR, the maximum fine for noncompliance is €20 million or 4% of annual global revenue, whichever is higher.

The news comes at a time when privacy advocates all over the EU were submitting complaints to local data protection authorities regarding the data management and processing by Facebook, Google, and several other online and social media related-businesses.